Created 04-22-2016 06:22 AM
Hello,
I have a SUSE11 SP4 machine where I have installed and configured HDP2.3, YARN, MapReduce, etc. from the Ambari UI, where I also entered the SSH private key during the cluster setup. Currently, I can log in via an ssh session with this private key, which is also used by Ambari. As I see a security risk here, if I change the private key on the machine for the user, how can I change the SSH private key in Ambari? I have tried using this article: https://cwiki.apache.org/confluence/display/AMBARI/Installing+ambari-agent+on+target+hosts but I constantly get either "HTTP/1.1 500 Server Error" using curl or "403 Full authentication is required to access this resource" using the Chrome Advanced REST client.
So my question is - is there a way after changing my user private key to change it also in Ambari?
Thank you!
Created 04-22-2016 06:33 AM
If I get you correctly, the private key is only used once by Ambari while bootstrapping the nodes at the time of registration.
Later on, if you change the private key, it will have no impact on your cluster. So no need to change the updated private key in Ambari.
Created on 04-22-2016 06:32 AM - edited 08-19-2019 04:21 AM
The SSH key you have provided is used by Ambari for bootstrapping new nodes (installing the Ambari agent, etc.). If you have already added nodes and installed components on them, then there should be no issues. If you want to add a new node and your private key was changed before adding it, there should not be an issue, because at the time of adding a new node Ambari should ask you for the private key again.
See below screenshot
Note - Passwordless SSH is required between the Ambari server and the Ambari agent nodes only at the time of bootstrapping. Once ambari-agent is up and running, communication between master and slave components happens over RPC; they don't need SSH for communication (except for SSHFencing between two NNs if HA is configured).
Created 04-22-2016 06:33 AM
@vpoornalingam - Please correct me if my understanding is incorrect here.
Created 04-05-2017 09:32 AM
I have lost id_rsa private key file, now I need to add two more nodes, will it be possible to add the new datanodes? What is the solution for this? Can I generate new keygen and can I apply the new private key in Ambari?
Thanks in Advance.
Regards,
Ram
Created 04-22-2016 06:32 AM
Elitsa,
There are two ways to register hosts with Ambari: automatically via SSH by supplying a private key to Ambari (as you have done) or manually (by running yum install ambari-agent on the host, modifying /etc/ambari-agent/conf/ambari-agent.ini's "hostname" line to Ambari's hostname, and running "ambari-agent start").
When using the SSH method, Ambari does NOT store the SSH private key that you supplied (it is used once to do passwordless SSH into the server to set up the agent and discarded). So there's no way or need to "change the private key" in Ambari.
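The manual registration step described in the answer above, as an added example that is not part of the original thread or of Ambari's own tooling: a shell function that rewrites the `hostname=` key only inside the `[server]` section of an agent ini file, rejects values that are not plain hostnames, and keeps a backup. The function name, the sample file contents and `ambari.example.com` are constructed for illustration, and the code assumes the stock ini layout where `hostname=` sits under `[server]`.

```shell
#!/bin/sh
# Added example: point an Ambari agent at its server for manual registration.
# Assumption: the stock ini layout, where hostname= sits in the [server] section.

set_ambari_server_host() {
    ini=$1; server=$2
    # Accept only hostname characters so nothing else can be written into the config.
    case $server in
        ''|*[!A-Za-z0-9.-]*) echo "invalid hostname: $server" >&2; return 2 ;;
    esac
    [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 1; }
    tmp=$(mktemp "${ini}.XXXXXX") || return 1
    # Rewrite hostname= only while inside [server]; other sections are untouched.
    # awk exits 3 when [server] has no hostname= key, and the file is left alone.
    if awk -v host="$server" '
        /^[ \t]*\[/ { in_server = ($0 ~ /^[ \t]*\[server\][ \t]*$/) }
        in_server && /^[ \t]*hostname[ \t]*=/ { print "hostname=" host; done = 1; next }
        { print }
        END { exit(done ? 0 : 3) }
    ' "$ini" > "$tmp"; then
        # Keep a backup; cat (not mv) preserves the owner and mode of the ini file.
        cp -p "$ini" "${ini}.bak" && cat "$tmp" > "$ini"
        rc=$?
    else
        echo "no hostname= key in [server] of $ini" >&2
        rc=3
    fi
    rm -f "$tmp"
    return $rc
}

# Run against a constructed sample, not a real /etc/ambari-agent/conf/ambari-agent.ini.
demo_ini=$(mktemp)
cat > "$demo_ini" <<'EOF'
[server]
hostname=localhost
url_port=8440

[example]
hostname=unrelated
EOF
set_ambari_server_host "$demo_ini" ambari.example.com && cat "$demo_ini"
```

On a real host the first argument would be the ini path named in the answer, followed by starting the agent as described there.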
Created 04-22-2016 07:16 AM
Yes, this is what I wanted to know. If the key is used once only during the first bootstrap then I have no security issue with the private key login.
THANK YOU!